Magento 2 Security Suite minimizes the vulnerability of your store with a set of powerful 'anti-hacking' tools. These include advanced password validity and verification settings, 2FA, a scanner tool, and more. Additionally, you have full control over admin sessions and actions, along with login attempts.
Compatibility: Magento Open Source 2.2.X, Magento Commerce 2.2.X
Thank you for choosing Aheadworks!
Installing Security Suite
Introducing Security Suite
Magento 2 Security Suite protects your store from unauthorized access, malware, and hack attacks. The extension gives you a range of options to take the security of your online store to the next level:
- Two-factor authentication;
- Advanced password verification procedure;
- Lock user function;
- MageReport.com Scanner, etc.
The extension is a combination of the best-proven solutions, giving you total control over your store 24/7.
Decide who can access your store as an admin. Detect login attempts, monitor actions made by admin users, and receive email notifications of Magento admin activities. With this security extension for Magento 2, you will get a holistic picture of what happens in your store.
- Log in to your Magento Admin Panel.
- Go to Stores > Settings > Configuration > Neklo tab > Security Suite > General Settings.
- Set the 'Is Enabled' option to 'Yes'.
- Click to apply the changes.
Advanced User Validation
Advanced Password Validation Settings set the advanced password requirements to reduce the possibility of password cracking.
- To access the settings, go to Stores > Settings > Configuration > Neklo tab > Security Suite > Advanced Password Validation Settings.
- To unfold the list of the password requirements, choose 'Yes' in the 'Use advanced password requirements' field.
The advanced settings include the 'Minimum Password Length', 'Use both lower and upper-case letters', and 'Use special chars' fields. It is recommended to set all these options to 'Yes' to maximize the security of your passwords. The minimum password length should be no less than 7 characters.
Password Lifetime Settings
Password Lifetime Settings configure various time restrictions for users’ passwords.
To view the 'Password Lifetime' settings, go to Stores > Settings > Configuration > Neklo tab > Security Suite > Password Lifetime Settings.
Password lifetime restrictions include the following:
- Password Lifetime (days) sets how many days a password can be used. It is recommended to set the password lifetime to no more than 90 days. Upon expiration of this period, the users will be notified to change their password in the Admin Panel.
- Password Lifetime (successful logins) sets the number of logins before the password should be changed. For example, after 30 successful logins the user will not be able to log in with the old password.
- Password change notifies the user when the password lifetime expires. If set to 'Recommended', a small window will appear at the top of the page telling it is time to change the password. If 'Forced', the system will force the user to change the password by constantly redirecting him to the 'Account Settings' page.
- Maximum Login Failures to Lockout Account regulates the number of maximum login attempts before blocking the user. After the successful login, the number of previous login failures is accumulated for the rest of the password lifetime.
Lockout Mode defines whether the user blocking will be temporary or permanent. In 'Lock Time (minutes)', you can set up the period in minutes. The account will be unlocked after the lock time (in minutes) expires. Permanent mode locks users permanently until the account is manually unblocked.
Before enabling 2FA, you need to create and configure an account at Twilio.com.
Please note that NEKLO is not currently associated with Twilio, so this service might charge fees for its functionality. If you have any issue with your Twilio account, please contact the support at firstname.lastname@example.org.
To connect your Twilio account to your Magento store, complete the following steps:
- Log in to your Twilio account and open the 'Authy' section.
- Create a new application by following the instructions.
Go to Authy > Name > Settings and configure the settings according to your preferences.
Those are the recommended settings required for the smooth work of the extension:
• 'Authentication via SMS' - Enabled;
• 'Force SMS' - Disabled (please use this configuration only if the 'Sync tokens in Authy app' option is enabled);
• 'Force Phone Calls' - Disabled;
• 'Sync tokens in Authy app' - Enabled.
After the settings are configured, you can copy your production API Key at the top of the page. You will need it for the further extension configuration.
Two-Factor Authentication (2FA)
With this set of settings, you can choose how 2FA will be performed in your Magento store.
To view the 'Two-factor authentication (2FA)' settings, go to Stores > Settings > Configuration > Neklo tab > Security Suite > Two-factor authentication (2FA).
There are several work modes for the 2FA to choose from:
1. IP Whitelist. This setting is needed to enable admin access only for specific IP addresses. If the setting is enabled, it is necessary to add admin IP addresses to the 'Allowed IP list' field. If no IP addresses are added, no admin user will be able to log in to the admin panel.
'Allowed IP list' is the field where you need to add the appropriate IP addresses with .
Click to apply the changes.
2. SMS Code. If enabled, this mode sends authentication codes to the mobile numbers stated in the user general settings. It is necessary to complete the following steps for SMS Code to work. Insert the Twilio API key into the 'Authy API key' field to connect your Magento store with the specific Twilio account.
Add a phone number for at least one Magento admin user in System > Permission > All Users > The required user.
Click to apply the changes.
Please note that 2FA will be enabled only after at least one admin user verifies his/her mobile phone number with Twilio. The verification instructions are described below.
3. Both (SMS code with IP Whitelist). This mode requires the user to complete both 2FA steps. The user’s IP should be listed in the IP Whitelist. Then, the user needs to complete SMS code verification.
4. Combined (SMS code or IP Whitelist). In this mode, if you log in to the admin area from an IP that is not whitelisted, you will be redirected to the confirmation page. There you need to enter the security code sent by SMS. Please note that the SMS verification will work only if the user has verified his/her mobile phone number with Twilio.
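The four modes differ mainly in who ends up unable to log in, so it is worth checking your admin list against a mode before switching it on. The following is an added sketch, not code from the extension: the mode labels, function names and user records are invented for illustration, the 'Allowed IP list' is assumed to hold single addresses or CIDR ranges, and a user without a verified phone number is assumed to be unable to pass the SMS step.

```python
import ipaddress

# Mode labels are chosen for this sketch; they mirror the four modes above.
IP_ONLY, SMS_ONLY, BOTH, COMBINED = "ip_whitelist", "sms_code", "both", "combined"


def ip_allowed(client_ip, allowed):
    """True if client_ip falls inside any list entry (address or CIDR)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowed)


def login_outcome(mode, client_ip, allowed, phone_verified):
    """Return 'allow', 'sms_challenge' or 'deny' after the password check."""
    in_list = ip_allowed(client_ip, allowed)  # an empty list never matches
    # Assumption: without a verified number the SMS step cannot be completed.
    sms = "sms_challenge" if phone_verified else "deny"
    if mode == IP_ONLY:
        return "allow" if in_list else "deny"
    if mode == SMS_ONLY:
        return sms
    if mode == BOTH:
        return sms if in_list else "deny"
    if mode == COMBINED:
        return "allow" if in_list else sms
    raise ValueError(f"unknown mode: {mode}")


def locked_out(mode, users, allowed):
    """Names of admins who would be denied from their usual address."""
    return [u["name"] for u in users
            if login_outcome(mode, u["ip"], allowed, u["verified"]) == "deny"]


# Constructed sample data: documentation-range addresses, invented users.
ALLOWED = ["203.0.113.0/24", "198.51.100.7"]
USERS = [
    {"name": "alice", "ip": "203.0.113.10", "verified": True},
    {"name": "bob",   "ip": "192.0.2.44",   "verified": True},
    {"name": "carol", "ip": "192.0.2.45",   "verified": False},
    {"name": "dave",  "ip": "198.51.100.7", "verified": False},
]

if __name__ == "__main__":
    for mode in (IP_ONLY, SMS_ONLY, BOTH, COMBINED):
        print(f"{mode:13} locked out: {locked_out(mode, USERS, ALLOWED)}")
    print("empty list    locked out:", locked_out(IP_ONLY, USERS, []))
```

Anyone the check lists needs either an entry in the 'Allowed IP list' or a verified phone number before the mode is enabled.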
Twilio Verification Process
- Make sure you have entered a valid API Key from your Twilio account and added your IP in the allowed list.
- Proceed to System > Permission > All Users. If the 2FA feature is enabled, there will be a new required field - 'Phone Number'.
- Phone Numbers must be inputted for every user. If the user does not have a phone number assigned and their IP is not in the 'Allowed IP' List, they will not be able to log in as an admin.
After you have entered a phone number in the field and saved the changes, this phone number must be confirmed. You will get a text message with the verification code sent to the specified phone number.
Once you have entered a verification code and saved the user, you will see a message that the phone number has been verified.
All users who log in with their username and password will receive a verification code on their mobile device by SMS or via the Twilio Authy application during Magento admin login.
The system will show a second prompt for the security code. The user will be allowed to log in to the Magento instance only after entering the security code.
You need to enter this security code on the login page and click 'Confirm'.
Your account will then be successfully logged in to the Admin Panel.
This feature schedules an automatic scan of your Magento Instance. All scan results are listed in the Magento Admin Panel. You can manually rescan your store any time.
To view the 'MageReport.com Scanner' settings, go to Stores > Settings > Configuration > Neklo tab > Security Suite > MageReport.com Scanner.
To enable MageReport automatic scanning, choose 'Yes' in the 'Is Enabled by Cron' field. If enabled, the scan is executed once per day at midnight of the server’s local time by cron.
By clicking , you will run Magereport check immediately.
With Notification Settings, you can select the specific Magento activities that will be sent to you via email.
- To view the 'Notification Settings', go to Stores > Settings > Configuration > Neklo tab > Security Suite > Notification Settings.
- To enable email notifications, choose 'Yes' in the 'Is Enabled' field.
In the 'Sender' field, you can specify the email sender. Sender emails are taken from Stores > Settings > Configuration > General > Store Email Addresses.
In the 'Event List' field, you can select which admin user activities you want to be notified of.
In the 'Recipients' field, you can add and delete the users who will get email notifications.
Click to apply the changes.
Here is an example of what the email notification from Security Suite looks like.
This Neklo Security Suite extension starts the logging process immediately after it is installed. From that moment, the extension starts collecting admin activity logs. The info is stored in separate database tables and can be viewed and managed in the 'Login Attempts' and 'Action Logger' grids.
To view logger settings, go to Stores > Settings > Configuration > General > Logger Settings. These settings include the following:
Action logger lifetime (Days). You can manage for how long the logs will be stored on your server and in the 'Login Attempts' grid (in days). The data will be removed from the database once the specified number of days has passed.
Login Attempts Lifetime (Days). Here you can choose for how long the login info will be stored on your server and in the 'Account Logger' grid. The data will be removed from the database once the specified number of days has passed.
Is Export Enabled. This setting exports the data to a file automatically before it is removed from the server. Files are stored under the var/export folder.
- Click to apply the changes.
The Security Suite extension provides log truncation rules that delete the data older than the lifetime value specified. Logs are stored on the server under the var/export folder.
Login Attempts Grid
The 'Login Attempts' grid reflects all login attempts and extensive information about them. The grid is located under System > Security Suite > Login Attempts.
Action Logger Grid
The 'Action Logger' grid shows all actions made by admin users. The grid is located under System > Security Suite > Action Logger.
Admin Sessions Grid
You can find the 'Sessions' grid following My Account > Account Settings and then scrolling down. There you will see a table with all the admin sessions, both active and expired.
Thank you for using this extension. You will find more of our great solutions for Magento here: store.neklo.com.
You can always find the latest version of the software, full documentation, demos, screenshots, and reviews on http://ecommerce.aheadworks.com
License agreement: https://ecommerce.aheadworks.com/end-user-license-agreement/
Contact Us: http://ecommerce.aheadworks.com/contacts/
Copyright © 2019 Aheadworks Co. http://www.aheadworks.com